Thread Links Date Links
Thread Prev Thread Next Thread Index Date Prev Date Next Date Index

Re: [STDS-802-16-MOBILE] [security] Summary of issues andrequirements for PKMv2



In the context of the PKMv2 approach I've been advocating, this affects
how the GAK (group AK) is generated.

Assuming you have GAKs (one per multicast group), then it is these that
need to be the same across 802.16 multicast groups across multiple BSs.
Without consideration for macro diversity, GAKs would be generated from
a real random number generator within the BS.

In the case of macro diversity, regardless of synchronization issues, at
the very least, the crypto keys need to match so that the on-air data is
the same and so can support macrodiversity. There is probably more to do
at the PHY level, but that it a different discussion.

So the working assumption is that for MBS type services, the network
would need to coordinate multicast groups across multiple BSs that are
within the MBS service flow and arrange to source the GAK for each
multicast group fram a central point.

For non MBS type service, we would continue to generate a GAK as a
strong random number, per BS, since this limits the intra-multicast
group spoofing opportunities.

DJ


-----Original Message-----
From: owner-stds-802-16-mobile@listserv.ieee.org
[mailto:owner-stds-802-16-mobile@listserv.ieee.org] On Behalf Of
Brederveld, Loeke (loeke)
Sent: Friday, May 28, 2004 4:34 AM
To: STDS-802-16-MOBILE@listserv.ieee.org
Subject: Re: [STDS-802-16-MOBILE] [security] Summary of issues
andrequirements for PKMv2


OK, I start to understand the issue :-) So basically this means that the
bit stream of the (MAC level) multicast data must be indentical for all
Base Stations to make it possible for the MSS to correlate the data. So
the data should be in clear text, or it should be encrypted by identical
keys.

I assume, at least to support fast handover from Base Station to Base
Station, we need a central authority in the subnet to process
authentication of the MSS, and to generate / distribute the encryption
keys anyhow. With this unit in place, it should not be a big problem to
generate identical group keys for MAC level Multicasts / Broadcasts for
all Base Stations. Using identical keys, it should not be an issue to
make sure the bitstreams are identical, although I think it should make
live easier then the encryption process itself runs on the central unit
instead of on the Base Station. Helps also to keep the data between
central unit and the base station a bit more private ...

The timing of the transmission is an other issue of course :-)

Loeke

-----Original Message-----
From: owner-stds-802-16-mobile@listserv.ieee.org
[mailto:owner-stds-802-16-mobile@listserv.ieee.org] On Behalf Of Mike
MORETON
Sent: Friday, May 28, 2004 10:20
To: STDS-802-16-MOBILE@listserv.ieee.org
Subject: Re: [STDS-802-16-MOBILE] [security] Summary of issues
andrequirements for PKMv2


I think what is being suggested is that transmissions from multiple BSs
are so well synchronised that to a receiver they look a bit like
different multi-paths, and hence an advanced PHY can use the additional
information to reduce errors.

Furthermore, there isn't a hard boundary between cells, as movement just
means that one multi-path gets stronger as another gets weaker.

Mike.

-----Original Message-----
From: owner-stds-802-16-mobile@listserv.ieee.org
[mailto:owner-stds-802-16-mobile@listserv.ieee.org] On Behalf Of ???
Sent: Friday, May 28, 2004 3:27 AM
To: STDS-802-16-MOBILE@listserv.ieee.org
Subject: Re: [STDS-802-16-MOBILE] [security] Summary of issues
andrequirements for PKMv2

Hi, all,

I would like to clarify two words, 'broadcast' and 'macro diversity'.

1. I think the word 'broadcast' means the transmission to all MSS in a
cell,
    but 'broadcast' currently used in Multimedia Broadcast Service seems
    to mean the transmission only to authorized MSSs.
    Isn't this multicast transmission?

2. Does 'macro diversity' used in MBS mean only synchronization of
transmission
    and same CID among BSs?
    Or does 'macro diversity' mean that MSS receives the same data at
the same time
    from more than 2 BSs.
    If so, is it possible in IEEE 802.16e PHY?

Regards,
Kiseon Ryu,
LG Electronics




-----Original Message-----
From: owner-stds-802-16-mobile@LISTSERV.IEEE.ORG
[mailto:owner-stds-802-16-mobile@LISTSERV.IEEE.ORG]
Sent: Friday, May 28, 2004 1:01 AM
To: STDS-802-16-MOBILE@LISTSERV.IEEE.ORG
Subject: Re: [STDS-802-16-MOBILE] [security] Summary of issues
andrequirements for PKMv2


Hello Loeke, all,

I think that you are pointing out the hart of the problem.
In some scenarios, there can be an interest to have a
broadcast/multicast service in which the same content will be
transmitted globally (for example a football game as a pay-per-view
service). In this case, transmitting same content in same time by all
cells (and taking the advantages of the frequency reuse 1 deployment),
will give a smooth reception, even at the cell edges (due to
macro-diversity reception), for the MSS, without service interruptions
due to handoff.

From my perspective, the above example is an example of a broadcast
service which should also be handled (even if it does not fit in a clean
way to our pure "data" oriented view).

Best Regards,
Itzik

-----Original Message-----
From: owner-stds-802-16-mobile@listserv.ieee.org
[mailto:owner-stds-802-16-mobile@listserv.ieee.org] On Behalf Of
Brederveld, Loeke (loeke)
Sent: Thursday, May 27, 2004 4:02 PM
To: STDS-802-16-MOBILE@listserv.ieee.org
Subject: Re: [STDS-802-16-MOBILE] [security] Summary of issues
andrequirements for PKMv2

Hi Yigal, all,

I agree fully with you last sentence, that we have to make sure
everybody means the same thing using the term "broadcast", and for me,
coming from the data world, I seen already problems there. May be this
is an open door, but let's try to define the variuos 'broadcasts'

MAC level Broadcast: those MAC level frames which are intended for all
stations in a subnet. In Ethernet / 802.11 network addressed with the
destination MAC address ff ff ff ff ff ff.

IP level Broadcast: those IP level frames which are intended for all IP
stations, usualy only in a single IP subnet (else you can have big
problems :-) ). IP broadcast (255.255.255.255) do use the MAC level
Broadcaat destination address also.

Furthermore, you have MAC and IP level Multicasts: frames which are
intended to a select group of stations within an subnet. The station
itself can decide it will receive certain multicasts. IP level
Mulicats/Broadcast normally uses also MAC level Multicast/Broadcats
addressing.

I assume the "Multimedia broadcast" is an application level broadcast
(video and/or audio broadcast). Usualy these applications are using IP
level multicast (not all stations are interested in the application
level broadcast). In a single cell of a wireless data system, certainly
for 802.11 but as I understand, it is the same for 802.16, a multicast
is only transmitted once, and is encrypted with a groupkey which is
available to all authenticated stations in the cell.

With this in mind, I don't understand your concern: all stations in the
cell do receive the applcation broadcast content at the same moment.
Only the latency of their internal processing will cause a slight
difference in the moment the content is made available to the enduser.
Different cells will transmit the multicast on different times depending
e.g. on the length of the output queues, but depending on the QOS
parameters set for the type of traffic, the difference will be within
the acceptable latency period for that type of traffic, e.g. 50 ms. I
can't imagine this will be problem?

Loeke

-----Original Message-----
From: owner-stds-802-16-mobile@listserv.ieee.org
[mailto:owner-stds-802-16-mobile@listserv.ieee.org] On Behalf Of Yigal
Leiba
Sent: Tuesday, May 25, 2004 22:16
To: STDS-802-16-MOBILE@listserv.ieee.org
Subject: Re: [STDS-802-16-MOBILE] [security] Summary of issues and
requirements for PKMv2


Hi Jeff, all,

I have some concern with the issue of security for the multimedia
broadcast content. Please keep in mind the following facts: 1. In order
to fully utilize the possible macro-diversity effect for broadcast, we
have to ensure that the exact same data is transmitted at the exact same
time from all the BS. It could be that this requirement by itself rules
IP out as the convergence layer suitable for such content. 2. It is
desired that the broadcast content will be available to MSS in Idle mode
as well. Given these two issues, I think we want to make sure that when
using the word 'broadcast', everybody means the same thing.

Yigal


-----Original Message-----
From: owner-stds-802-16-mobile@listserv.ieee.org
[mailto:owner-stds-802-16-mobile@listserv.ieee.org]On Behalf Of Jeff
Mandin
Sent: Tuesday, May 25, 2004 5:12 PM
To: STDS-802-16-MOBILE@listserv.ieee.org
Subject: Re: [STDS-802-16-MOBILE] [security] Summary of issues and
requirements for PKMv2


DJ,

Our points of contention here seem to be what belongs inside the MAC and
what doesn't....

1. Preauthentication:   As I stated earlier, nothing in the preauth
message exchange affects the MAC state of any entity; and byzantine
message forwarding is not properly the job of the MAC layer.

Accordingly, if we add a primitive to the MAC Layer Management Entity's
external interface, we can easily accomodate  preauthentication as well
as other Master Key approaches such as the AAA-Server-based ones that
have been discussed in 802.11i .. ie.

    InstallMasterKey(MasterKey, MasterKeyId)

[ This assumes the Key caching mechanism from
http://grouper.ieee.org/groups/802/16/tge/contrib/C80216e-04_46r2.pdf ]

2. Support for Key Management by External Server - I agree with what you
wrote, so I'm not sure I understand your objection.  Are you stating
that distribution of MAC-layer keys by an external MBS should in fact an
objective for PKMv2?   My point is that if the MBS is to control data
access, then it is by definition doing it at L3 and hence way out of our
scope.

3. "Push" for Multicast TEK -  Thanks for the observations.  Asymmetric
signature is obviously the better approach, but would seem to
necessitate a CA infrastructure or something similar.

- Jeff

>
> Some thought edited in below.. DJ
>
>
>     -----Original Message-----
>     *From:* owner-stds-802-16-mobile@LISTSERV.IEEE.ORG
>     [mailto:owner-stds-802-16-mobile@LISTSERV.IEEE.ORG] *On Behalf Of
>     *Jeff Mandin
>     *Sent:* Monday, May 24, 2004 11:33 AM
>     *To:* STDS-802-16-MOBILE@LISTSERV.IEEE.ORG
>     *Subject:* [STDS-802-16-MOBILE] [security] Summary of issues and
>     requirements for PKMv2
>
>     To the Security Adhoc group,
>
>      [snip]
>     4.  It's been considered desirable to support a model where a
>     backend server (eg. multimedia broadcast content distribution
>     server) is responsbile for key management.
>
>          [ I think that the best way to support such a broadcast
>     distribution model would be with IP-layer security/key management
>     and IP multicasting.  Then the MAC layer (ie.BS-to-multiple-SS)
>     security/key mgt. would be entirely transparent to the content
>     broadcast service.]
>
>     I have a problem with defining an IP distribution mechanism since
>     it is not layer 2. Certainly a management procedure or recommended
>     practice could map IP distibution to a well defined L2
>     distributions. However at the least we need to provide a L2
>     distribution mechanism within the MAC. We cannot assume IP to be
>     present, particularly with the ethernet, 802.1Q and ATM
>     convergence sublayers.
>
>      [snip]
>     6.  The PKM-KeyReq/Key-Rsp is inefficient for distributing TEKs of
>     Security Associations that are actually used by multiple SS. ie.
>     as things stand now, each individual SS sends a KeyReq and
>     receives the key in KeyRsp.  A more efficient "push mode" TEK
>     distribution is desirable.
>
>     For this to be possible, without enabling forgery by members of
>     the multicast group, it seems that the 'pushed' key needs to be
>     signed with the BS private key, using an asymmetric key digest
>     mechanism (RSA? DSA?).
>
>     There is a lesser level improvement, which is BS initiated key
>     transfer. This allows the BS to preempt the key transfer time and
>     spread the load of key transfers.
>
>      [snip]
>     8.   Support for Pre-authentication is desirable - ie. enabling an
>     SS to authenticate with a potential target BS via the backbone
>     (and establish a shared Master Key) before doing the HO.
>
>         [Preauth is an important feature, and can coexist with schemes
>     that receive freshly-derived Master Key material from a trusted
>     peer BS or ASA server..  However there seems to be no particular
>     motivation for running preauthentication inside the MAC - instead:
>     preauthentication via a higher-layer mechanism (eg. PANA) using
>     the ordinary packet transport is appropriate.  Note also that
>     running preauthentication inside MAC mgt messages leads to clumsy
>     multiple-step proxying, as the BS security sublayers would
>     sometimes need to forward messages between subnets or to different
>     providers]
>
>     Same L2-L3 argument as for key distribution above.
>     Pre-auth and cunning key derivation schemes could indeed co-exist.
>     I'm not sure if the world will thank us for picking 2 solutions
>     though. It seems that effective pre-auth needs to be tied into the
>     handover decision making entity (in the NMS?) since it is that
>     that knows where it might want to pre-auth to. I suspect a similar
>     line of reasoning applies to key derivation schemes. Either way,
>     its an argument for putting the fast handover security messaging
>     in the right place in the architecture.
>
>
>     - Jeff Mandin
>     Security Adhoc Chair
>
>     DJ
>
>